Pod2g has now documented technical details about how he was able to uncover his untether–on his own. Details are provided around the userland and kernel exploits used. Here’s a snippet:

Now that Corona was released by the iPhone Dev Team and the Chronic Dev Team, I can give details about how it works.

1. the user land exploit

Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.

By the past, the trick security researchers used was to include the untethering payload as a data page (as opposed to a code page) in the Mach-O binary. The advantage of a data page was that the Macho-O loader didn’t check its authenticity. ROP is used so that code execution happens without writing executable code but rather by utilizing existing signed code in the dyld cache. To have the ROP started by the Mach-O loader, they relied on different technics found by @comex, either :
– the interposition exploit
– the initializer exploit

If you understand what pod2g is talking about, it’s worth the read. Well done.